From: Lennart Poettering Date: Tue, 9 Mar 2021 21:58:08 +0000 (+0100) Subject: tree-wide: make use of DISSECT_IMAGE_USR_NO_ROOT in various tools X-Git-Tag: v249-rc1~509^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d04faa4e191ac851ca08fbfda0efa89c4087cc99;p=thirdparty%2Fsystemd.git tree-wide: make use of DISSECT_IMAGE_USR_NO_ROOT in various tools Let's make use of the new dissection in all tools where this makes sense, which are all tools that dissect images, except for those which inherently operate on state/configuraiton and thus where an image without state nor configuration is useless (e.g. systemd-tmpfiles/systemd-firstboot/… --image= switch). --- diff --git a/src/core/execute.c b/src/core/execute.c index 35aea2f8301..e791c31b279 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -3247,7 +3247,7 @@ static int apply_mount_namespace( propagate_dir, incoming_dir, root_dir || root_image ? params->notify_socket : NULL, - DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK, + DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK|DISSECT_IMAGE_USR_NO_ROOT, error_path); /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c index cb96a57abee..06808a231e4 100644 --- a/src/dissect/dissect.c +++ b/src/dissect/dissect.c @@ -44,7 +44,7 @@ static const char *arg_image = NULL; static const char *arg_path = NULL; static const char *arg_source = NULL; static const char *arg_target = NULL; -static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK; +static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK|DISSECT_IMAGE_USR_NO_ROOT; static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT; static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; static PagerFlags arg_pager_flags = 0; diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index f9d0ca54214..dda9b188158 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -665,7 +665,13 @@ static int enumerate_partitions(dev_t devnum) { if (r <= 0) return r; - r = dissect_image(fd, NULL, NULL, DISSECT_IMAGE_GPT_ONLY|DISSECT_IMAGE_NO_UDEV, &m); + r = dissect_image( + fd, + NULL, NULL, + DISSECT_IMAGE_GPT_ONLY| + DISSECT_IMAGE_NO_UDEV| + DISSECT_IMAGE_USR_NO_ROOT, + &m); if (r == -ENOPKG) { log_debug_errno(r, "No suitable partition table found, ignoring."); return 0; diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index a4ac8ed2bb7..00e2ba2654a 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3581,8 +3581,12 @@ static int outer_child( * makes sure ESP partitions and userns are compatible. */ r = dissected_image_mount_and_warn( - dissected_image, directory, arg_uid_shift, - DISSECT_IMAGE_MOUNT_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP| + dissected_image, + directory, + arg_uid_shift, + DISSECT_IMAGE_MOUNT_ROOT_ONLY| + DISSECT_IMAGE_DISCARD_ON_LOOP| + DISSECT_IMAGE_USR_NO_ROOT| (arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)| (arg_start_mode == START_BOOT ? DISSECT_IMAGE_VALIDATE_OS : 0)); if (r < 0) @@ -3669,8 +3673,14 @@ static int outer_child( if (dissected_image) { /* Now we know the uid shift, let's now mount everything else that might be in the image. */ - r = dissected_image_mount(dissected_image, directory, arg_uid_shift, - DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP|(arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)); + r = dissected_image_mount( + dissected_image, + directory, + arg_uid_shift, + DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY| + DISSECT_IMAGE_DISCARD_ON_LOOP| + DISSECT_IMAGE_USR_NO_ROOT| + (arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)); if (r == -EUCLEAN) return log_error_errno(r, "File system check for image failed: %m"); if (r < 0) @@ -5378,7 +5388,10 @@ static int run(int argc, char *argv[]) { } } else { - DissectImageFlags dissect_image_flags = DISSECT_IMAGE_REQUIRE_ROOT | DISSECT_IMAGE_RELAX_VAR_CHECK; + DissectImageFlags dissect_image_flags = + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_RELAX_VAR_CHECK | + DISSECT_IMAGE_USR_NO_ROOT; assert(arg_image); assert(!arg_template); diff --git a/src/portable/portable.c b/src/portable/portable.c index 6c09e8bbd4f..aacc573ef6e 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c @@ -380,7 +380,7 @@ static int portable_extract_by_path( if (r < 0) return log_debug_errno(r, "Failed to create temporary directory: %m"); - r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK, &m); + r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_USR_NO_ROOT, &m); if (r == -ENOPKG) sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Couldn't identify a suitable partition table or file system in '%s'.", path); else if (r == -EADDRNOTAVAIL) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c index 79c4c70a41c..a2f22619807 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -1198,7 +1198,12 @@ int image_read_metadata(Image *i) { if (r < 0) return r; - r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_RELAX_VAR_CHECK, &m); + r = dissect_image( + d->fd, + NULL, NULL, + DISSECT_IMAGE_REQUIRE_ROOT| + DISSECT_IMAGE_RELAX_VAR_CHECK| + DISSECT_IMAGE_USR_NO_ROOT, &m); if (r < 0) return r; diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c index 9b1c4908a40..2ebb96c3978 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -509,7 +509,11 @@ static int merge_subprocess(Hashmap *images, const char *workspace) { _cleanup_(loop_device_unrefp) LoopDevice *d = NULL; _cleanup_(decrypted_image_unrefp) DecryptedImage *di = NULL; _cleanup_(verity_settings_done) VeritySettings verity_settings = VERITY_SETTINGS_DEFAULT; - DissectImageFlags flags = DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_MOUNT_ROOT_ONLY; + DissectImageFlags flags = + DISSECT_IMAGE_READ_ONLY| + DISSECT_IMAGE_REQUIRE_ROOT| + DISSECT_IMAGE_MOUNT_ROOT_ONLY| + DISSECT_IMAGE_USR_NO_ROOT; r = verity_settings_load(&verity_settings, img->path, NULL, NULL); if (r < 0)